Instances of business email compromise (BEC) – a targeted form of phishing in which attackers try to scam companies out of money or goods or trick employees into giving up sensitive info – have continued to increase, causing devastating impacts. Last year, the FBI’s Internet Crime Complaint Center (IC3) reported $43 billion of global exposed losses due to BEC between 2016 and 2021.
Additionally, a Data Breach Investigations Report from Verizon showed that web applications and email are the top two vectors for breaches. Because they’re often internet-facing, web apps and email can provide a useful avenue for attackers to try and slip through an organization’s perimeter – and their tricks are only growing more sophisticated.
So what can security teams and end users do to combat these increasingly sophisticated email threats? Here are a few tips on how to keep email attacks from getting through.
Watch out for evolving phishing attempts
Many successful email compromises can be attributed to phishing attacks becoming more advanced. Historically, BEC entailed a bad actor stealing a user’s alias (username) and password – perhaps by sending them a fake Office or Google login form to fill out – and hoping the account wasn’t protected by multifactor authentication (MFA), which would stop the attack at that point.
However, the last few years have seen new approaches, such as increased use of social engineering to obtain MFA tokens, where bad actors trick users into handing over their one-time MFA passcode. The attacker may try push bombing, spamming the end user with authentication notifications until the user finally accepts one out of fatigue. Or they may use newer malicious proxies and tools that keep the traditional phishing approach of stealing a username and password via a fraudulent link, but bypass MFA by completing the entire authentication transaction through the proxy and capturing the resulting authenticated session.
Unfortunately, all these new approaches and commoditized tools mean BEC continues to be a lucrative attack vector for malicious actors. With defense often one step behind, end users must stay vigilant. Whenever something looks suspicious, rely on other communication channels to confirm a message’s legitimacy before carrying out an action that could be damaging to you or your organization.
Adopt a layered security approach
There is no magic bullet in cybersecurity; you can’t rely on a single control, policy, or training session for end users. Therefore, a layered approach with various tools, procedures, and training is necessary to be effective. Should one layer fail, another will be there to pick up the slack.
Security teams must identify the technical controls they can implement to minimize the impact of phishing in case an attack gets through. A DNS firewall prevents network users and systems from connecting to known malicious internet locations and can effectively neutralize a phishing link by blocking resolution of its destination. To combat malware, behavior-based anti-malware tools that monitor for unusual activity (rather than relying only on signature-based detection) can identify malicious software and keep it from infecting computers and other devices.
Make sure to employ tools that can quickly identify and respond to attacks that slip through the cracks. Strong endpoint detection and response (EDR) tools can enhance visibility within your network to detect malicious activity and act on it before the incident grows. Finally, leverage MFA, as it remains the single best measure a security team can implement to protect against authentication attacks. Reinforce MFA with social engineering training for end users so that this line of defense remains strong.
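As an added illustration of the push bombing described above and of the detect-and-respond visibility this section calls for (it is example code, not code from the original article or from WatchGuard), the following Python script runs a simple push-fatigue detector over constructed MFA log lines: it flags any user who receives at least four push prompts within ten minutes and reports whether a prompt was accepted during that burst, the case that needs immediate session revocation. The log format, thresholds and user names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample MFA log (not from any real product): timestamp,user,event
SAMPLE_LOG = """\
2024-05-01T09:00:01Z,bob,push_sent
2024-05-01T09:00:09Z,bob,push_approved
2024-05-01T09:12:00Z,alice,push_sent
2024-05-01T09:12:30Z,alice,push_denied
2024-05-01T09:12:45Z,alice,push_sent
2024-05-01T09:13:20Z,alice,push_sent
2024-05-01T09:13:50Z,alice,push_sent
2024-05-01T09:14:05Z,alice,push_sent
2024-05-01T09:14:30Z,alice,push_approved
2024-05-01T10:00:00Z,carol,push_sent
2024-05-01T10:02:00Z,carol,push_sent
2024-05-01T10:04:00Z,carol,push_sent
2024-05-01T10:06:00Z,carol,push_sent
2024-05-01T10:06:30Z,carol,push_denied
"""

def parse_log(text):
    """Parse 'timestamp,user,event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.strip().split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def detect_push_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Return {user: (prompt_count, approved)}: users who got >= threshold push
    prompts within window; approved=True if one was accepted in/near that burst."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))
    alerts = {}
    for user, evs in by_user.items():
        sent = [ts for ts, e in evs if e == "push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) >= threshold:
                end = burst[-1] + window  # allow a late accept after the last prompt
                approved = any(e == "push_approved" and start <= ts <= end
                               for ts, e in evs)
                alerts[user] = (len(burst), approved)
                break
    return alerts

def run_sample():
    return detect_push_fatigue(parse_log(SAMPLE_LOG))
```

A flagged user with approved=True is the priority case: the session should be revoked and the user contacted over a separate channel, while approved=False bursts still indicate a stolen password that needs resetting.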
Build a security-first culture
Most security professionals understand that no defense is perfect, especially with human behavior involved. They recognize the need for security awareness training since a successful attack is often the result of human error. The importance of training only grows as the methods for deceiving end users continue to evolve.
Security teams must continuously train users to be hyper-aware of business email compromise. Put a heavy emphasis on email phishing, spear phishing and social engineering. Since many attacks come from vectors beyond email – via text message, over WhatsApp or other messaging applications, or voice calls using deepfake audio – it’s important that users understand the entire range of threats.
Building a culture that promotes security awareness and in which users are comfortable coming to the IT team to flag an issue or suspicious activity is key. If a user is the victim of a phishing attempt, empower them to quickly notify IT so the threat can be addressed swiftly. Shaming them will only have negative consequences. You don’t want a user to hide a mistake they made, resulting in further risk of damage to the organization. Create a culture where users feel they are part of the security team and on the lookout for phishing attempts and malicious activity. More watchful eyes will create strength in numbers.
A skeptical mindset is a necessary tool in the current threat landscape. A bad actor will often compromise the account of a familiar party like a co-worker, partner, or vendor and use that in a phishing attempt. Remember: A message that appears to be from a trusted source isn’t always a trusted message. Take an extra second to double-check suspicious requests and cover your bases. Staying alert is the best protection you can have.
When it comes to email or other messaging-based cybersecurity threats, the reality is you will never get the click rate down to zero. But your security team should focus on getting your click rate as low as possible so your technical controls can pick up the slack wherever it’s needed.
Trevor Collins is a Network Security Engineer at WatchGuard Technologies.